---
# CIS-Compliant Sysctl Parameters
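# CIS 3.1.1 - IP forwarding. The benchmark says "disable", but a VPN server
# that routes client traffic needs it ON, so this role deliberately deviates.
# The previous task was titled "Disable IPv4 forwarding" while unconditionally
# writing '1'; the name now says what the task does, and the deviation is
# controlled by `vpn_ip_forwarding` (default: true, i.e. the same value the
# role always wrote, so existing hosts are unchanged). Set it to false on
# hosts that terminate tunnels without routing between networks.
# NOTE(review): ip_forward only switches routing on; it does not limit what
# is routed. The packet filter (FORWARD chain / nft forward hook) is expected
# to restrict forwarded traffic to the tunnel interface — confirm the
# firewall role does that, it is not visible from this file.
# NOTE(review): net.ipv6.conf.all.forwarding is not managed here. If IPv6 is
# left enabled (the disable_ipv6 task is opt-in), confirm its value.
- name: Set IPv4 forwarding (enabled for VPN routing unless overridden)
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: "{{ '1' if (vpn_ip_forwarding | default(true) | bool) else '0' }}"
    state: present
    sysctl_set: true
    reload: true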
# CIS 3.1.2 - Do not send ICMP redirects. A router that emits redirects
# leaks topology and can be abused to steer hosts' routing tables; a VPN
# server forwarding traffic has no need to send them.
- name: Disable send packet redirects
  loop:
    - net.ipv4.conf.all.send_redirects
    - net.ipv4.conf.default.send_redirects
  ansible.posix.sysctl:
    state: present
    name: "{{ item }}"
    value: '0'
    reload: true
    sysctl_set: true
# CIS 3.2.1 - Reject source-routed packets (IPv4 and IPv6). Source routing
# lets the sender dictate the path, which can bypass filtering that assumes
# normal routing. Both the "all" and "default" (new interfaces) knobs are set.
- name: Disable source routed packets
  loop:
    - net.ipv4.conf.all.accept_source_route
    - net.ipv4.conf.default.accept_source_route
    - net.ipv6.conf.all.accept_source_route
    - net.ipv6.conf.default.accept_source_route
  ansible.posix.sysctl:
    state: present
    name: "{{ item }}"
    value: '0'
    reload: true
    sysctl_set: true
# CIS 3.2.2 - Ignore incoming ICMP redirects (IPv4 and IPv6). Accepting them
# lets an on-link attacker rewrite this host's routing decisions.
- name: Disable ICMP redirects
  loop:
    - net.ipv4.conf.all.accept_redirects
    - net.ipv4.conf.default.accept_redirects
    - net.ipv6.conf.all.accept_redirects
    - net.ipv6.conf.default.accept_redirects
  ansible.posix.sysctl:
    state: present
    name: "{{ item }}"
    value: '0'
    reload: true
    sysctl_set: true
# CIS 3.2.3 - Ignore "secure" ICMP redirects too. These are redirects from a
# gateway already in the routing table; the kernel trusts them by default,
# but a spoofed gateway address makes that trust meaningless. IPv4 only —
# there is no IPv6 equivalent of this knob.
- name: Disable secure ICMP redirects
  loop:
    - net.ipv4.conf.all.secure_redirects
    - net.ipv4.conf.default.secure_redirects
  ansible.posix.sysctl:
    state: present
    name: "{{ item }}"
    value: '0'
    reload: true
    sysctl_set: true
# CIS 3.2.4 - Log "martian" packets (impossible source addresses, and packets
# that fail reverse-path checks) to the kernel log. Useful forensic signal on
# a VPN server, and the kernel rate-limits these messages, but on an
# internet-facing host expect some steady noise in dmesg/journal.
- name: Enable suspicious packet logging
  loop:
    - net.ipv4.conf.all.log_martians
    - net.ipv4.conf.default.log_martians
  ansible.posix.sysctl:
    state: present
    name: "{{ item }}"
    value: '1'
    reload: true
    sysctl_set: true
# CIS 3.2.5 - Do not answer ICMP echo to broadcast/multicast addresses, so the
# host cannot be used as an amplifier in smurf-style attacks.
- name: Ignore ICMP broadcast requests
  ansible.posix.sysctl:
    state: present
    name: net.ipv4.icmp_echo_ignore_broadcasts
    value: '1'
    reload: true
    sysctl_set: true
# CIS 3.2.6 - Do not log malformed ICMP error responses. Some routers send
# bogus errors to broadcast frames; without this the kernel logs each one,
# which is a cheap way to fill the log.
- name: Ignore bogus ICMP error responses
  ansible.posix.sysctl:
    state: present
    name: net.ipv4.icmp_ignore_bogus_error_responses
    value: '1'
    reload: true
    sysctl_set: true
# CIS 3.2.7 - Reverse path filtering. CIS wants strict mode (1): a packet is
# dropped unless the best route back to its source leaves via the interface
# it arrived on.
# NOTE(review): on a VPN server that forwards traffic, strict mode can drop
# legitimate packets when routing is asymmetric (e.g. policy routing between
# the tunnel interface and the uplink). Loose mode (2) still rejects packets
# from unroutable sources while tolerating that. The value stays '1' here as
# CIS specifies; if tunnel traffic is observed being dropped (log_martians,
# when enabled, logs those drops), loose mode is the usual remedy — confirm
# against this deployment's routing before changing it.
- name: Enable reverse path filtering
  loop:
    - net.ipv4.conf.all.rp_filter
    - net.ipv4.conf.default.rp_filter
  ansible.posix.sysctl:
    state: present
    name: "{{ item }}"
    value: '1'
    reload: true
    sysctl_set: true
# CIS 3.2.8 - TCP SYN cookies, so a SYN flood that fills the backlog does not
# stop new legitimate connections from being accepted.
- name: Enable TCP SYN cookies
  ansible.posix.sysctl:
    state: present
    name: net.ipv4.tcp_syncookies
    value: '1'
    reload: true
    sysctl_set: true
# CIS 3.2.9 - Ignore IPv6 router advertisements. A rogue RA on the link could
# otherwise inject a default route or prefix; a server with static addressing
# has no use for them. Applies whether or not IPv6 is later disabled.
- name: Disable IPv6 router advertisements
  loop:
    - net.ipv6.conf.all.accept_ra
    - net.ipv6.conf.default.accept_ra
  ansible.posix.sysctl:
    state: present
    name: "{{ item }}"
    value: '0'
    reload: true
    sysctl_set: true
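# Additional hardening (not a numbered CIS item here).
# Disabling IPv6 is opt-in via `disable_ipv6`; when it is left at the default
# (false) IPv6 stays reachable and the IPv6 sysctls above are what protect it.
# The trailing `| bool` is the fix: a value passed on the command line
# (-e disable_ipv6=false) arrives as the non-empty string "false", which is
# truthy in a Jinja conditional without the cast and would disable IPv6 on a
# host that asked to keep it.
- name: Disable IPv6 (if not used)
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: '1'
    state: present
    sysctl_set: true
    reload: true
  loop:
    - net.ipv6.conf.all.disable_ipv6
    - net.ipv6.conf.default.disable_ipv6
  when: disable_ipv6 | default(false) | bool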
# CIS 1.5.2 - Full ASLR (2 = randomize stack, mmap base, VDSO and brk), which
# raises the cost of turning a memory-corruption bug into a reliable exploit.
- name: Enable address space layout randomization
  ansible.posix.sysctl:
    state: present
    name: kernel.randomize_va_space
    value: '2'
    reload: true
    sysctl_set: true
# CIS 1.5.1 - No core dumps from setuid/setgid programs; such a dump can
# expose privileged memory (keys, credentials) to an unprivileged user.
# NOTE(review): fs.suid_dumpable only covers privileged binaries. The same
# CIS item also expects a hard core limit of 0 (limits.conf) and, on systemd
# hosts, Storage=none / ProcessSizeMax=0 in coredump.conf. Neither is in
# this file — presumably handled elsewhere in the role; confirm.
- name: Restrict core dumps
  ansible.posix.sysctl:
    state: present
    name: fs.suid_dumpable
    value: '0'
    reload: true
    sysctl_set: true